CVE-2026-45897

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_counter: serialize reset with spinlock

Add a global static spinlock to serialize counter fetch+reset operations, preventing concurrent dump-and-reset from underrunning values.

The lock is taken before fetching the total so that two parallel resets cannot both read the same counter values and then both subtract them.

A global lock is used for simplicity since resets are infrequent. If this becomes a bottleneck, it can be replaced with a per-net lock later.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3cb03edb4de33fd04c4ea55f47397b96a8657c53 < 0cdc6d5a26f2d1f7f15a43526841b679445c32e2affected
LinuxLinux3cb03edb4de33fd04c4ea55f47397b96a8657c53 < 779c60a5190c42689534172f4b49e927c9959e4eaffected
LinuxLinuxfb1adb05ea87b6149e65a31e511756c4f470d0cdaffected
LinuxLinuxf123293db16dcd0cd81b246ae60e6362f0025d0aaffected
LinuxLinux6.1.107 < 6.2affected
LinuxLinux6.6.48 < 6.7affected
LinuxLinux6.7affected
LinuxLinux0 < 6.7unaffected
LinuxLinux6.19.4 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References